Mercurial > prosody-modules
annotate mod_muc_restrict_media/mod_muc_restrict_media.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parents | 1682166171ff |
| children |
| rev | line source |
|---|---|
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 module:depends"muc"; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
|
4904
1919cff763d4
mod_muc_restrict_media: Fix logic inversion on default value
Matthew Wild <mwild1@gmail.com>
parents:
4789
diff
changeset
|
3 local restrict_by_default = module:get_option_boolean("muc_room_default_restrict_media", true); |
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local function should_restrict_media(room) |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 local restrict_media = room._data.restrict_media; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 if restrict_media == nil then |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 restrict_media = restrict_by_default; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 return restrict_media; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 module:hook("muc-config-form", function(event) |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local room, form = event.room, event.form; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 table.insert(form, { |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 name = "{xmpp:prosody.im}muc#roomconfig_unaffiliated_media", |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 type = "boolean", |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 label = "Display inline media (images, etc.) from non-members", |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 value = not should_restrict_media(room), |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 }); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 end); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 module:hook("muc-config-submitted", function(event) |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 local room, fields, changed = event.room, event.fields, event.changed; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 local new_restrict_media = not fields["{xmpp:prosody.im}muc#roomconfig_unaffiliated_media"]; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 if new_restrict_media ~= should_restrict_media(room) then |
|
4905
e9ac68f9bc16
mod_muc_restrict_media: Fix traceback when checking default (thanks Martin)
Matthew Wild <mwild1@gmail.com>
parents:
4904
diff
changeset
|
27 if new_restrict_media == restrict_by_default then |
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 room._data.restrict_media = nil; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 else |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 room._data.restrict_media = new_restrict_media; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 if type(changed) == "table" then |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 changed["{xmpp:prosody.im}muc#roomconfig_unaffiliated_media"] = true; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 else |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 event.changed = true; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 end); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 module:hook("muc-disco#info", function (event) |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 local room, form, formdata = event.room, event.form, event.formdata; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 local allow_unaffiliated_media = not should_restrict_media(room); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 table.insert(form, { |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 name = "{xmpp:prosody.im}muc#roomconfig_unaffiliated_media", |
|
4789
f06d04cfea7d
mod_muc_restrict_media: Fix disco#info field (thanks mirux)
Kim Alvefur <zash@zash.se>
parents:
4787
diff
changeset
|
46 type = "boolean", |
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 }); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 formdata["{xmpp:prosody.im}muc#roomconfig_unaffiliated_media"] = allow_unaffiliated_media; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 end); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 |
|
5171
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
51 local function strip_xhtml_img(tag) |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
52 if tag.attr.xmlns == "http://www.w3.org/1999/xhtml" and tag.name == "img" then |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
53 tag.name = "i"; |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
54 tag:text(tag.attr.alt or "<image blocked>"); |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
55 tag.attr = { xmlns = tag.attr.xmlns, title = tag.attr.title }; |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
56 tag:maptags(strip_xhtml_img); |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
57 else |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
58 tag:maptags(strip_xhtml_img); |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
59 end |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
60 |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
61 return tag; |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
62 end |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
63 |
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 local function filter_media_tags(tag) |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 local xmlns = tag.attr.xmlns; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 if xmlns == "jabber:x:oob" then |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 return nil; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 elseif xmlns == "urn:xmpp:reference:0" then |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 if tag:get_child("media-sharing", "urn:xmpp:sims:1") then |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 return nil; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 end |
|
5171
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
72 elseif xmlns == "http://jabber.org/protocol/xhtml-im" then |
|
1682166171ff
Strip images from XHTML-IM as well
Stephen Paul Weber <singpolyma@singpolyma.net>
parents:
4962
diff
changeset
|
73 return strip_xhtml_img(tag); |
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 return tag; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 module:hook("muc-occupant-groupchat", function (event) |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 local stanza = event.stanza; |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 if stanza.attr.type ~= "groupchat" then return; end |
|
4962
5a3031613dbc
mod_muc_restrict_media: Don't apply restriction to affiliated users
Kim Alvefur <zash@zash.se>
parents:
4905
diff
changeset
|
81 if event.room:get_affiliation(stanza.attr.from) then return end |
|
4787
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 if should_restrict_media(event.room) then |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
83 stanza:maptags(filter_media_tags); |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 end |
|
df2246b15075
mod_muc_restrict_media: Allow hiding inline media from unaffiliated users in MUCs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
85 end, 20); |